The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

Detecting Service Violations and DoS Attacks

CERIAS TR 2002-15
Ahsan Habib, Mohamed Hefeeda, Bharat Bhargava
Download: PDF

A Denial of Service (DoS) attack is a serious threat to the Internet. A DoS attack can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). A common DoS attack floods a network with bogus traffic so that legitimate users may not be able to communicate. There are several proposals to traceback the network attack path to identify the source that causes the DoS attack. This is an effective solution to trace the attacker, but it is not preventive in nature. Ingress filtering and route-based filtering are two proactive approaches to stop DoS attacks. These solutions check the source addresses of incoming packets to ensure they are coming from legitimate sources or traversing proper routes. We study several existing schemes that deal with DoS attacks. We describe several network monitoring approaches to detect service violations and DoS attacks. In addition, we propose a new distributed scheme to reduce monitoring overhead. Finally, a quantitative comparison among all schemes is conducted, in which we highlight the merits of each scheme and estimate the overhead (both computation and communication) introduced by it. The comparison provides guidelines for selecting the appropriate scheme, or a combination of schemes, based on the requirements and how much overhead can be tolerated.

Added 2002-07-26


On Vulnerability and Protection of AODV

CERIAS TR 2002-24
Weichao WANG
Download: PDF

AODV (Ad Hoc On-Demand Distance Vector) is one of the hottest routing protocols under research for Ad Hoc networks. In this technical report, we study both the strong points and the vulnerabilities of AODV under internal attacks from a security perspective. On the strong points, we focus on the combination of multicast and unicast, the fast expiration of reverse routes, and the freshness of routing information. For the vulnerabilities, we take a thorough look at various problems related to spurious RREP (Route REPly) messages with false distance vectors and destination sequence numbers, malicious RREQ (Route REQuest) flooding, and forged Route Error (RERR) messages. The impacts of these vulnerabilities are simulated using NS2 and the results are shown. Among all of the vulnerabilities, the attack on the destination sequence number is the worst. We design and implement a protocol called Reverse Labeling Restriction Protocol (RLRP) to detect this attack and protect the Ad Hoc network from it. The effectiveness of RLRP is analyzed and simulated using NS2. The results show that the protocol can effectively identify the compromised site and impressively increase the performance of the Ad Hoc network with limited overhead. We also examine the robustness of RLRP to other attacks.

Added 2002-07-26

Hacker: An intelligent learning agent

CERIAS TR 2002-25
P. Venkatayogi, B. Bhargava
Download: PDF

The security threats involved in any software system are due to unanticipated attacks by hackers or terrorists. Research in security concentrates on providing technical solutions to these security threats [1, 2]. These solutions might not work well once the assumed attacker behavior changes. Attackers quickly understand the current security structure of the system and come up with innovative ways to achieve their objectives. In order to estimate the objectives and possible attacks, one needs to know the behavior of a hacker. This report proposes the design for the simulation of a hacker as an intelligent learning agent, which can be used to observe behavior change patterns and enhance the existing solutions to security threats. The design supports the following: 1) The hacker learns from his experience and also from the information provided by other hackers. 2) A mistrust component is used to decide the extent to which the information provided by other hackers can be relied upon.

Added 2002-07-26

On-Demand Media Streaming Over the Internet

CERIAS TR 2002-20
Mohamed M. Hefeeda, Bharat K. Bhargava, and David K. Y. Yau
Download: PDF

Whether the server entity is centralized or distributed over a set of delegates (caches/proxies), the client/server paradigm for media streaming services stresses the server to the limit by having it serve each and every client in the system. Such a paradigm dictates an enormous, and likely unattainable, investment in deploying numerous caches/proxies in order to provide media services to large Internet-scale customer populations.

We envision a cooperative peer-to-peer paradigm as a potential solution for such a fundamental problem. We propose a novel peer-to-peer media distribution model that scales well to a large number of clients with a modest overall system cost. We describe the advantages as well as the challenges facing the proposed model. We present the details of the model, including how the overall system is initially formed, how the system evolves as more peers join, and how peers help each other to provide the streaming service. We evaluate various aspects of the proposed model through an extensive simulation study.

Added 2002-07-26


General Track - 2002 USENIX Annual Technical Conference

USENIX Association
Added 2002-07-26

ActiveSync, TCP/IP and 802.11b Wireless Vulnerabilities of WinCE-based PDAs

CERIAS TR 2002-17
Pascal Meunier, Sofie Nystrom, Seny Kamara, Scott Yost, Kyle Alexander, Dan Noland, Jared Crane
Download: PDF

Researching the vulnerabilities and security concerns of WinCE-based Personal Digital Assistants (PDAs) in an 802.11 wireless environment resulted in identifying CAN-2001-0158 through CAN-2001-0163. The full understanding and demonstration of some vulnerabilities would have required reverse engineering ActiveSync, which was beyond the scope of this research. Moreover, the WinCE IP stack demonstrated instabilities under a number of attacks, one of which produced symptoms in hardware. The inaccessibility of the 802.11b standard documentation was a source of delays in the research; however, we created three proof-of-concept applications to defeat 802.11b security. One collects valid MAC addresses on the network, which defeats MAC-address-based restrictions. Another builds a code book using known-plaintext attacks, and the third decrypts 802.11b traffic on the fly using the code book.

Added 2002-07-26

CS 490: Wireless Security Independent Study - Final Report

CERIAS TR 2002-16
Patrick Fitzgerald
Download: PDF

This paper presents the purpose, goals, accomplishments, and design details of this CS 490 project: design and implementation of improved security measures for wireless networks.

Added 2002-07-26

Authorization Based on Evidence and Trust

CERIAS TR 2002-21
Bharat Bhargava and Yuhui Zhong
Download: PDF
Added 2002-07-26

Hierarchical Mobile Wireless Network (HMWN)

CERIAS TR 2002-27
Yi Lu, Bharat Bhargava
Download: PDF

Ad hoc networks may not be suitable for “non ad hoc” applications due to resource, mobility, traffic-pattern, and incompatible wireless MAC protocol issues. We propose the Hierarchical Mobile Wireless Network for providing flexible and scalable network services to these applications. In such a system, mobile hosts are organized into hierarchical groups. Four basic operations that are used to set up and maintain the network structure are described. An efficient protocol for group membership management is discussed. The Segmented Membership-based Group Routing protocol is presented. In this routing protocol, only local message exchange is required. Simulation-based experiments confirm the scalability of our design.

Added 2002-07-26

Watermarking Relational Databases

CERIAS TR 2002-28
Radu Sion, Mikhail Atallah, and Sunil Prabhakar
Download: PDF

Digital watermarking, in the traditional sense, is the technique of embedding undetectable (unperceivable) hidden information into multimedia objects (i.e. images, audio, video, text), mainly to protect the data from unauthorized duplication and distribution by enabling provable ownership over the content.

Recent research of the authors introduces the issue of digital watermarking for generic number sets. In the present paper we expand on this foundation and introduce a solution for relational database content security through watermarking. To the best of our knowledge there is no research on this issue. Our solution addresses a series of important attacks, such as data re-sorting, subset selection (up to 30% and above data loss tolerance), and linear data changes. Finally, we present dbwm.*, a proof-of-concept implementation of our algorithm, and its application to real-life data, namely in watermarking data from the outsourced Wal-Mart sales database of the years 1999-2000.

Added 2002-07-26

An Algorithm for Building User-Role Profiles in a Trust Environment

CERIAS TR 2002-29
Evimaria Terzi, Yuhui Zhong, Bharat Bhargava, Pankaj, and Sanjay Madria
Download: PDF

A good direction towards building secure systems that operate efficiently in large-scale environments (like the World Wide Web) is the deployment of Role Based Access Control (RBAC) methods. RBAC architectures do not deal with each user separately, but with discrete roles that users can acquire in the system. The goal of this paper is to present a classification algorithm that, during its training phase, classifies the roles of users into clusters. The behavior of each user that enters the system holding a specific role is traced via audit trails, and any misbehavior is detected and reported (classification phase). This algorithm will be incorporated into the Role Server architecture, currently under development, enhancing its ability to dynamically adjust the amount of trust placed in each user and update the corresponding role assignments.

Added 2002-07-26

Efficient Sharing of Encrypted Data

CERIAS TR 2002-23
Krista Bennett, Christian Grothoff, Tzvetan Horozov, and Ioana Patrascu
Download:

This paper describes the design of a censorship-resistant distributed file-sharing protocol which has been implemented on top of GNUnet, an anonymous, reputation-based network. We focus on the encoding layer of the GNUnet file-sharing protocol, which supports efficient dissemination of encrypted data as well as queries over encrypted data. The main idea advocated in this paper is that simple cryptographic techniques are sufficient to engineer an efficient data encoding that can make it significantly harder to selectively censor information. Our encoding allows users to share files encrypted under descriptive keys, which are the basis for querying the network for content. A key property of our encoding is that intermediaries can filter invalid encrypted replies without being able to decrypt the query or the reply. Files are stored in small chunks which are distributed and replicated automatically by the GNUnet infrastructure. Additionally, data files may be stored in plaintext or encrypted form, or as a combination of both, and encrypted on demand.

Added 2002-07-26

Comparing Authentication Techniques

Matt Bishop
Added 2002-04-16